Aug 27, 2019
On the (In)security of Bluetooth Low Energy One-Way Secure Connections Only Mode
Yue Zhang, Jian Weng, Rajib Dey et al.
To defeat security threats such as man-in-the-middle (MITM) attacks, Bluetooth Low Energy (BLE) 4.2 and 5.x introduce the Secure Connections Only mode, under which a BLE device accepts only secure pairing protocols, including Passkey Entry and Numeric Comparison, from an initiator, e.g., an Android mobile. However, the BLE specification does not explicitly require the Secure Connections Only mode of the initiator. Taking Android's BLE programming framework as an example, we found that it cannot enforce secure pairing, invalidating the security protection provided by the Secure Connections Only mode. The same problem applies to Apple iOS. Specifically, we examine the life cycle of a BLE pairing process in Android and identify four severe design flaws. These design flaws can be exploited by attackers to perform downgrade attacks, forcing the BLE pairing protocols to run in the insecure mode without the users' awareness. To validate our findings, we selected and tested 18 popular BLE commercial products, and our experimental results proved that downgrade attacks and MITM attacks were possible against all of these products. All 3501 BLE apps from Androzoo are also subject to these attacks. For defense, we have designed and implemented a prototype of the Secure Connections Only mode on Android 8 through the Android Open Source Project (AOSP). We have reported the identified BLE pairing vulnerabilities to the Bluetooth Special Interest Group (SIG), Google, Apple, and Texas Instruments (TI), and all of them are actively addressing this issue. Google rated the reported security flaw as High Severity.
Nov 16, 2021
BBS: A Blockchain Big-Data Sharing System
Shan Wang, Ming Yang, Tingjian Ge et al.
Chain of custody is needed to document the sequence of custody of sensitive big data. In this paper, we design a blockchain big-data sharing system (BBS) based on Hyperledger Fabric. We denote the data stored outside of a ledger for sharing as "off-state"; "big data" (referring to extremely large data) falls into this category. In our off-state sharing protocol, a sender registers a file with BBS for sharing. To acquire the file, an authenticated and authorized receiver has to use transactions and interact with BBS in four phases: file transfer request, encrypted file transfer, key retrieval, and file decryption. The corresponding transactions are recorded in the ledger and serve as the chain of custody documenting the trail of the data. Compared with related work, BBS can perform the four phases autonomously. It utilizes a permissioned blockchain, i.e. Hyperledger Fabric, for access control and can defeat dishonest receivers. We design and implement a prototype of BBS for big file sharing. Extensive experiments were performed to validate its feasibility and performance.
Sep 15, 2021
BOSS: A Blockchain Off-State Sharing System
Shan Wang, Ming Yang, Tingjian Ge et al.
Blockchain has been applied to data sharing to ensure the integrity of data and chain of custody. Sharing big data such as large biomedical data files is a challenge for blockchain systems, since the ledger is not designed to maintain big files, access control is an issue, and users may be dishonest. We call big data, such as big files, stored outside of a ledger (which includes the blockchain and world state at a blockchain node) "off-state", and propose an off-state sharing protocol for a blockchain system to share big data between pairs of nodes. In our protocol, only encrypted files are transferred. The cryptographic key is stored in the world state in a secure way and can be accessed only by authorized parties. A receiver has to request the corresponding cryptographic key from the sender to decrypt such encrypted files. All requests are run through transactions to establish a reliable chain of custody. We design and implement a prototypical blockchain off-state sharing system, BOSS, with Hyperledger Fabric. Extensive experiments were performed to validate the feasibility and performance of BOSS.
Jul 23, 2020
On Manually Reverse Engineering Communication Protocols of Linux Based IoT Systems
Kaizheng Liu, Ming Yang, Zhen Ling et al.
IoT security and privacy have raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most of the existing protocol security analysis techniques rely on a good understanding of the underlying communication protocols. In this paper, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed application of the framework to reverse engineer the WeMo smart plug communication protocol by extracting the firmware from flash, performing static and dynamic analysis of the firmware, and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable embedded Linux filesystems.
Jul 12, 2020
On Runtime Software Security of TrustZone-M based IoT Devices
Lan Luo, Yue Zhang, Cliff C. Zou et al.
Internet of Things (IoT) devices have been increasingly integrated into our daily life. However, such smart devices expose a broad attack surface. In particular, attacks targeting the device software at runtime are challenging to defend against when IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension for MCUs, is an emerging security technique for fortifying MCU-based IoT devices. This paper presents the first security analysis of potential software security issues in TrustZone-M enabled MCUs. We explore the stack-based buffer overflow (BOF) attack for code injection, the return-oriented programming (ROP) attack, the heap-based BOF attack, the format string attack, and attacks against Non-secure Callable (NSC) functions in the context of TrustZone-M. We validate these attacks using the TrustZone-M enabled SAM L11 MCU. Strategies to mitigate these software attacks are also discussed.
May 15, 2018
IoT Security: An End-to-End View and Case Study
Zhen Ling, Kaizheng Liu, Yiling Xu et al.
In this paper, we present an end-to-end view of IoT security and privacy and a case study. Our contribution is three-fold. First, we present our end-to-end view of an IoT system; this view can guide risk assessment and the design of an IoT system. We identify 10 basic IoT functionalities that are related to security and privacy. Based on this view, we systematically present security and privacy requirements in terms of the IoT system, software, networking, and big data analytics in the cloud. Second, using the end-to-end view of IoT security and privacy, we present a vulnerability analysis of the Edimax IP camera system. We are the first to exploit this system and have identified various attacks that can fully control all the cameras from the manufacturer. Our real-world experiments demonstrate the effectiveness of the discovered attacks and raise the alarm again for IoT manufacturers. Third, the vulnerabilities found in the exploit of Edimax cameras and our previous exploit of Edimax smart plugs can lead to another wave of Mirai attacks, which can be either botnet or worm attacks. To systematically understand the damage of the Mirai malware, we model the propagation of Mirai and use simulations to validate the model. The work in this paper raises the alarm again for IoT device manufacturers to better secure their products in order to prevent malware attacks like Mirai.
Mar 19, 2014
Blind Recognition of Touched Keys: Attack and Countermeasures
Qinggang Yue, Zhen Ling, Benyuan Liu et al.
In this paper, we introduce a novel computer vision based attack that discloses inputs on a touch-enabled device, even though the attacker cannot see any text or popups in a video of the victim tapping on the touch screen. In the attack, we use the optical flow algorithm to identify touching frames, where the finger touches the screen surface. We innovatively use intersections of detected edges of the touch screen to derive the homography matrix mapping the touch screen surface in video frames to a reference image of the virtual keyboard. We analyze the shadow formation around the fingertip and use the k-means clustering algorithm to identify touched points. Homography can then map these touched points to keys of the virtual keyboard. Our work is substantially different from existing work. We target password input and are able to achieve a high success rate. We target scenarios like classrooms, conferences, and similar gathering places and use a webcam or smartphone camera; in these scenes, the single-lens reflex (SLR) cameras and high-end camcorders used in related work would appear suspicious. To defeat such computer vision based attacks, we design, implement, and evaluate the Privacy Enhancing Keyboard (PEK), in which a randomized virtual keyboard is used to input sensitive information.